Date: Wed, 25 Sep 2013 14:33:14 +0000
From: Moritz Naumann <security@...itz-naumann.com>
To: oss-security@...ts.openwall.com, kseifried@...hat.com
CC: security@...plemachines.org
Subject: Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities

On 24.09.2013 14:17 +0000, Henri Salo wrote:
> On Mon, Sep 16, 2013 at 07:23:52PM -0600, Kurt Seifried wrote:
>> Can you provide a summary of the diff? thanks.
[..]
> XSS in index.php?action=admin;area=manageboards;sa=newboard;cat=1 "board_name"
> Requires admin account
> PoC: "><BODY ONLOAD=alert('XSS')>
> Verified in 2.0.4
> Not fixed in 2.0.5
>
> SMF guys, this CSRF should help to verify this issue. Can you fix this in next
> release? Contact me in case you need help.
> [..]

This CSRF doesn't work for me on two 2.0.4 installations I tested on. Both
return
  Unable to verify referring url. Please go back and try again.

There seems to be a CSRF protection in this hidden form field:
  <input type="hidden" name="e2b8c5b3437" value="bdcc798a0a86fa141da538f7c3a6ec42" />

So this doesn't seem exploitable this way (but it also doesn't make the XSS
bug vanish in the haze, either).

To clarify, I'm a SMF user (and independent tester) not affiliated with the
SMF developers.

Moritz